It was TLS renewal time once again, so I decided to switch suppliers (my third) and go for SSLMate; after all, if you find horrible holes in systemd then you need to be rewarded. I had no idea what I was letting myself in for, but in fact it is way better than Let's Encrypt (my blog), as it uses email contacts to validate instead of some shit HTTP server.
This is paid for rather than 'free', and the sslmate CLI does work nicely, although don't ask it to make a Postfix TLS instance. If you use Microsoft Windows then you're not intelligent enough, imho.
Once you have an account (a website job) and the software, you just ask for mail10.zoo1 and it creates the CSR; once validated by the carbon-based unit, it takes the money and deposits four files on your computer.
Being weird, I use mail10.zoo1 for email TLS and generally know what I am supposed to be doing, but it should work as a www thing if you're average.
Comodo issue the certificates, and most of my changes worked on the first attempt. Comodo's new owner is an issue.
That's basic usage for one host. You can also specify a spending limit per day, so if you have issues like that then a low amount means you get an email saying so.
I need multi-host SSL for .zoo and they offer it at a most reasonable price, so .zoo and mail10.zoo will all be covered with TLS. Doing this with other resellers would mean an expensive wildcard cert that would go unused, or two standard SSL certs, and while that is not that hard, I want something better.
Multi-host as an experiment did not work the way I expected, and the firm did not respond to my email. However, I have enough brains to work around the issue.
Generally I can do DANE (my blog) and so website SSL, but only on http://www.zoo, not .zoo. It was not worth the extra money to add it, but config-wise, with the extra hosts in the certificate, it makes hashing of TLSA easy.
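Since one certificate covering several hosts means one TLSA hash shared across all of them, here is an added example (not code from this post, and not SSLMate's tooling) that computes the DANE TLSA RDATA from a certificate using only the Python standard library. It walks the DER just far enough to pull out the SubjectPublicKeyInfo for the usual "3 1 1" record (DANE-EE, SPKI, SHA-256), and also supports the full-certificate selector and SHA-512. The certificate embedded at the bottom is constructed for the example (syntactically valid, unsigned, meaningless), and the host names are assumptions; point `pem_to_der` at the real certificate file instead.

```python
"""TLSA (DANE) RDATA generation from an X.509 certificate, stdlib only.

Added example, not from the original post or from SSLMate.
"""
import base64
import hashlib
import re


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and base64-decode the first certificate in the text."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no PEM certificate found")
    return base64.b64decode("".join(m.group(1).split()))


def _tlv(der: bytes, pos: int):
    """Read one DER TLV at pos; return (tag, content_start, content_end, next_tlv_pos)."""
    tag = der[pos]
    length = der[pos + 1]
    pos += 2
    if length & 0x80:                     # long form: low bits give the length-of-length
        nbytes = length & 0x7F
        length = int.from_bytes(der[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, pos, pos + length, pos + length


def spki_from_der(der: bytes) -> bytes:
    """Return the complete SubjectPublicKeyInfo TLV from a DER certificate."""
    tag, start, _, _ = _tlv(der, 0)       # Certificate SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, pos, _, _ = _tlv(der, start)     # tbsCertificate SEQUENCE
    if tag != 0x30:
        raise ValueError("tbsCertificate missing")
    tag, _, _, nxt = _tlv(der, pos)       # optional [0] EXPLICIT version
    if tag == 0xA0:
        pos = nxt
    for _ in range(5):                    # serialNumber, signature, issuer, validity, subject
        _, _, _, pos = _tlv(der, pos)
    tag, _, end, _ = _tlv(der, pos)       # subjectPublicKeyInfo SEQUENCE
    if tag != 0x30:
        raise ValueError("subjectPublicKeyInfo missing")
    return der[pos:end]                   # whole TLV, which is what TLSA selector 1 hashes


def tlsa_rdata(der: bytes, usage: int = 3, selector: int = 1, matching: int = 1) -> str:
    """RDATA for a TLSA record: selector 0 = full cert, 1 = SPKI; matching 1 = SHA-256, 2 = SHA-512."""
    data = der if selector == 0 else spki_from_der(der)
    digest = {1: hashlib.sha256, 2: hashlib.sha512}[matching](data).hexdigest()
    return f"{usage} {selector} {matching} {digest}"


def tlsa_records(der: bytes, hosts, port: int = 25, proto: str = "tcp"):
    """One TLSA owner name per SAN host; the RDATA is identical because the key is shared."""
    rdata = tlsa_rdata(der)
    return [f"_{port}._{proto}.{host}. IN TLSA {rdata}" for host in hosts]


# --- constructed sample certificate (unsigned, for illustration only) -------------------
def _der(tag: int, content: bytes) -> bytes:
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


_EC_SHA256 = _der(0x30, _der(0x06, bytes.fromhex("2A8648CE3D040302")))   # ecdsa-with-SHA256
SAMPLE_SPKI = _der(0x30,
    _der(0x30, _der(0x06, bytes.fromhex("2A8648CE3D0201"))              # id-ecPublicKey
             + _der(0x06, bytes.fromhex("2A8648CE3D030107")))           # prime256v1
    + _der(0x03, b"\x00\x04" + bytes(range(64))))                       # fake EC point
SAMPLE_TBS = _der(0x30,
    _der(0xA0, _der(0x02, b"\x02"))                                      # version v3
    + _der(0x02, b"\x01")                                                # serialNumber
    + _EC_SHA256                                                         # signature
    + _der(0x30, b"")                                                    # issuer (empty)
    + _der(0x30, _der(0x17, b"240101000000Z") + _der(0x17, b"250101000000Z"))
    + _der(0x30, b"")                                                    # subject (empty)
    + SAMPLE_SPKI)
SAMPLE_CERT_DER = _der(0x30, SAMPLE_TBS + _EC_SHA256 + _der(0x03, b"\x00" * 65))
SAMPLE_CERT_PEM = ("-----BEGIN CERTIFICATE-----\n"
                   + base64.encodebytes(SAMPLE_CERT_DER).decode()
                   + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    # Assumed host names; with a real file: pem_to_der(open("mail10.zoo1.crt").read())
    for line in tlsa_records(pem_to_der(SAMPLE_CERT_PEM), ["mail10.zoo1", "zoo1"]):
        print(line)
```

When the certificate is renewed with a new key, every owner name gets the same new RDATA, so publishing the new record alongside the old one before the swap and removing the old one afterwards keeps DANE-validating senders happy through the change.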
Next year I do not see much point in long-term certs, as things change, say SHA-1 replaced with SHA-256, so at some point you're going to replace the cert with a new one with a new hash. It's still work.
I was able to get a cert and the chain files and adjust configs myself, rather than be inflicted with Apache configs and unknown Postfix something that other things insist on fixing despite me knowing what I am doing.
Would I do it again? Individual is cheaper, and it is perhaps worth setting up, say, www. and *.zoo, so this is not a total waste of time; one I will put down to experience, despite wasting http://www.mail10.zoo as an unused address.
The more complex the CLI command, the less intuitive it becomes, and the documentation on the website is lacking but kind of guessable.
Maybe I'll go for a wildcard SSL next time.
Both times I got a PDF invoice.